Wireless Access

Contributor II

Branch setup

I'm manually setting up a 7005 branch controller in 8.5 to a 7010 VPNC. I have a tunnel between the MM and the VPNC, and a tunnel between the VPNC and the branch controller. But the MM shows the branch as down. I added the branch to the Controllers list and the branch has the MM IP. Any clues as to where I should look next? Thanks for any help.


Accepted Solutions
Contributor II

Re: Branch setup

I got this working with Aruba TAC's help. Needed to use Mgmt mac address for MM and backup MM when running VPNC setup script. -- Jim



All Replies
MVP Expert

Re: Branch setup

Try the following:

Under the MM, add the Branch Controller:

local-peer-mac "branch device mac" ipsec


Under the /md/VPNC, add the Branch Controller:

vpn-peer peer-mac "branch device mac" cert-auth factory-cert
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Branch setup

Thanks for the suggestion but there is no change. The branch gets an IP from the VPNC.  I see ipsec tunnels to /mm and branch from the VPNC. The branch logs show

Apr 2 09:02:01 :103103:  <3316> <WARN> |ike|   IKE SA Deletion: IKE2_delSa peer:<IP>:4500 id:2592555168 errcode:ERR_IKESA_EXPIRED saflags:0x41000005 arflags:0x20

Thanks!

MVP Expert

Re: Branch setup

How are you pointing the Branch controller to the VPNC?

Do you have a firewall between the VPNC and Branch controller? If so, are you allowing UDP/4500?




Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Branch setup

There is no firewall. In the initial setup I listed the VPNC IP. The output of 'show conf effective' shows the vpn-ip as the VPNC IP. Show ip route lists the VPNC IP as an ipsec map management-vpnc. Show datapath session shows limited traffic between the branch and VPNC but keeps resetting. Thanks!

MVP Expert

Re: Branch setup

Do you have something similar to this on the Branch MC:

masterip "MM IP" vpn-ip "VPNC Public IP/VRRP IP NAT if using two VPNCs" ipsec-factory-cert vpn-mac-1 "VPNC1 mac address" vpn-mac-2 "VPNC2 mac address" interface vlan "mgmt VLAN"



Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Branch setup

Yes, very similar. I'm using public IP addresses to try to keep it simple. I only have a single VPNC. Default gw is on the same subnet. The vpn-mac-1 that I have doesn't match the VPNC mac. I'm not sure where it came from -- possibly another branch controller I had been working with. Not sure how to change that line. Thanks.

Contributor II

Re: Branch setup

Sorry, I misread the mac address above. It is the correct mac address of the VPNC controller.
